Sometimes it feels that the only way you can meet people is online. Often that means that if you want to date, you get accounts on dating sites. And sometimes you meet someone you like and perhaps you exchange photos. If you did that on the dating app Jack’d, you may be accidentally letting some dude named Jack get access to your photos, whether you want him to have them or not. To add insult to injury, the popular dating site Coffee Meets Bagel also announced a data breach of about 6.2 million members who entered information into the website prior to May of 2018. And there’s more. OKCupid announced recently that a critical flaw in the app may allow the theft of credentials that can lead to a man-in-the-middle attack or allow the criminal to completely take over a victim’s app.

A researcher found a security vulnerability in the dating (sometimes called hookup) app Jack’d. It was reported to the developer of the app, but has not yet been fixed. It essentially gives anyone who wants to see them access to all the photos without authenticating to the app. All one needs is a web browser and all photos, private or otherwise, can be accessed.

For the time being, if you do use this app, consider just deleting your photos for now and be cautious of what you chat about or post to the app. This goes for any online site, be it dating or even messenger services. Remember that even if the site has all the indicators that it’s secure, it doesn’t mean it is 100% safe to put whatever you want on it. You should consider anything you post to the Internet to be there forever and available to anyone, regardless of the security settings.

The Coffee Meets Bagel user data showed up on the Dark Web a few days before Valentine’s Day, which meant those users got their notification of the breach as a nice treat, ironically on Valentine’s Day.

Make sure your apps are kept updated at all times, change your passwords regularly, and use strong ones. In addition, by all means, use dating apps and social media if you desire. Just use caution about what you put up there. You never know who may see it in the future. Once someone shares or even comments on something you post, you lose control over it. Once you send a picture to a potential date, it’s gone for good and you never know what will be done with it after that. That’s important to note, especially if, for example, you are looking for a job in the future. You don’t want those things to come back and haunt you.

Vulnerabilities in dating and hookup apps, as well as online dating sites, are not a new phenomenon. Adult Friend Finder has been hit a couple of times and, famously, the “cheating” app Ashley Madison was breached, with the attackers threatening to out those who had profiles if the owners didn’t remove the site completely. The group responsible for the hack followed through.

Phishing, smishing and vishing–oh my! All three of these hacking exploits take plenty of cues from social media websites. These websites give hackers insight and plenty of ammunition to execute highly successful attacks. Information on social media gives hackers the advantage of gleaning personal details about potential victims. This allows them to specifically target individuals based on what they’ve learned about them, including names of friends and contacts, groups or special interests. Armed with that information, emails (phishing), texts (smishing), and phone calls (vishing) are used to pry all kinds of sensitive data from their targets. They use infected attachments, bogus websites, promises of money, threats, and anything else that can motivate a recipient to give up sensitive data. Once that happens, hackers are off to the races–stealing money, credit cards, buying cars and houses–using any way they can get the goods.

We now know that hacks on Facebook alone have exposed the personal data of millions of its users. But it’s not only social media hacking that steals information. Social media sites contain huge amounts of insights about their users, much of it provided by the users themselves. How can chatting with friends, innocent posts, and fun pics possibly be used against you? Very easily. Hackers troll these sites and target account holders and their contacts with specific topics designed to get a response. That photo with a car in the background gives up a license plate number–leading hackers to steal your data from the DMV. Even a picture from inside of a home with a smart device visible can be a jackpot. Hackers isolate and blow up its detail to get the device model and serial numbers. They can trace that data and hack the device. Before you know it, a hacker is contacting you via phishing, smishing, or vishing–demanding a ransom to get your smart home back from his grip.

We all agree social media provides a ton of details. And since the devil is in those details, Proofpoint provides tips to keep individuals from becoming their own worst enemies on social media.

Spot the bot. They are out there, and hackers aren’t afraid to use them. Bots aggressively spread misinformation, especially via Twitter and Facebook. Look for fake accounts using random names and numbers that frequently repost items, especially if they never provide any original content. Also, be aware of random content popping up that has nothing to do with the discussion at hand. Bots are infamous on dating apps, but if you pay attention even just a little, you can spot your potential “love interest” as a bot.

Question questionable advertisements. Bogus ads are designed with you in mind, and the smart thing to do is a little investigating of the sender. Facebook has an “Info and Ads” option that provides information about the sender, including the source of the ad. If it’s at all questionable, discard it–many of these ads are phishing attempts.

Don’t fall for click-bait with links on Twitter Direct Message or Facebook Messenger unless you know they are from reputable sources. Deceptive links are often loaded with malware and links to phishing sites.

Check your filter settings. Twitter and email accounts and others have filters to catch spam, bots, and questionable senders. Put the filters on effective settings that you are comfortable using.

Data Breach May Redefine How Breach Investigations Proceed In The Future

Published January 2, 2019

That another data breach was announced recently isn’t necessarily a breaking news story anymore. However, the breach that happened between January and November of 2018 in the San Diego Unified School District was unique in one significant way. It wasn’t that the hacker got ahold of a lot of personally identifiable information (PII) before being stopped; it was how the investigation into the intrusion was handled, which may actually have an impact on how data breaches are handled in the future. Although it has a somewhat positive outcome, was it really the right thing to do?

First, let’s get to the facts we know:

500,000 students and staff were affected, dating back to the 2008-2009 school year.

The intruder lurked around in the school district’s system from January to November 2018.

The intrusion was discovered in October 2018.

The hacker is thought to have gained access to over 50 district employee accounts.

The intruder gained access when someone fell victim to a phishing attack, where authentic-looking emails included a link that redirected the user to a fake login page. On that page, the user entered network credentials, unknowingly giving access to the attacker.

Remember never to click links or attachments that you are not expecting. Contact the sender by phone, by paying a personal visit, or by a completely newly created email message to confirm the link before opening. Replying to the sender will likely just send you back to the hacker, who will indeed confirm it, if you choose that method. That’s why a new message is the way to go, if you want to use email for confirmation. If you don’t know the sender, don’t bother clicking or confirming. If it truly is important, they’ll contact you again.

We don’t know what the email stated, but it was apparently authentic enough that some fell for it. If you are ever asked to verify account information or credentials, go directly to the related account and do so, rather than clicking a link in an email message.

The district has been contacting affected individuals, but it’s recommended that everyone in the school district keep a close eye on credit reports and health benefits statements. If you have the option to freeze your credit, you should seriously consider it. Just keep in mind that freezing access to your credit reports not only prevents potential fraudsters from gaining access to them, but it also prevents you from getting to them as well for purposes of getting credit or applying for jobs or housing, for example. If you can’t freeze it, consider putting credit monitoring on it, just to be safe. This won’t prevent fraud, but it will give you a heads-up sooner so you can react to it. This goes whether you were notified specifically or not.

So what was unique about this one? Well, the IT team of the district noticed the hacker in October, but didn’t immediately lock him or her out. Instead, they kept watch to see what was happening. While this may have given the criminal more time to steal more information and perhaps get it listed on the Dark Web, it also gave the investigators more time to catch him or her. In fact, a suspect has been identified. No names have been released, however, because the investigation is still ongoing, though the access of the intruder has been blocked.

In the future, perhaps this is the way investigations will proceed for data breaches. If so, there is a chance that more of the perpetrators will be caught. However, the downside is that if they are not identified, they have the opportunity to collect and potentially sell more data. Is that the right direction? You can decide. It certainly gives us something to ponder.

We love social media these days. Facebook, Snapchat, Twitter, LinkedIn, and many others can lead to lots of sharing and fun, but also carry significant risks. This is particularly true now that cybercriminals are collating data and using it against us for targeted phishing attacks.
Online social networks may seem all in fun and harmless, but they are anything but that. Anyone participating in a social network online assumes some risk of becoming a victim of a con artist or other criminal. But this does not mean you should opt out of getting involved. It’s part of our society, and in some cases an important part of doing business. Just be aware of the risks and take action to avoid being a victim of identity theft or another cybercrime.

It’s always important to remember that once you put something on the Internet, it is there… forever. It never disappears, you can’t completely remove it, and there is nothing preventing your connections from sharing. Once that happens, you lose control of it. If someone in their network shares it, it will crawl even further into the Internet and there really is little to nothing you can do about it.

Therefore, always know who you are giving access to your personal information and if you don’t want them to share something, ask them not to or just don’t post it. Also, keep in mind that what you post can reflect on your business relationships as well. Even if you don’t connect with business contacts via social media, it can still get around and affect your business.
Pay attention to who wants to follow, friend, or share with you. Often cybercriminals will try to connect with people to learn about them, bring them into confidence, and then scam them. This may come in the form of attachments or links passed on once you are "friends" with that person. It may come in personal requests, such as asking you to send money via wire transfer or even gift cards to help with an emergency.

Any information found on the Internet may be used against you for nefarious purposes, so always think about what you post. And using the highest privacy settings doesn’t necessarily keep you safe. Assume that whatever you post is available to anyone on the Internet. Hackers of all types troll social networking sites to put together collections of information on specific targets. The information may be used for something completely unrelated to social media, but can do a lot of damage. For example, if you work with financials in your company and you share it on social media, you could be targeted for wire transfer fraud.

All of this may not only put you in physical danger, but it may also be used to create phishing messages and to send emails to people you know, including your co-workers. These email messages could contain malware. Once a link or attachment is clicked, it could unleash something nasty on the network. No one wants to be responsible for that.

A good example where criminals will often go to learn important information about you is LinkedIn. This social networking site is a great way to form business relationships, but is also often used by criminals to learn more about an organization's personnel. For example, LinkedIn can provide a would-be criminal with the employee names, job positions, job responsibilities, and even how long an employee has worked at the organization. This information can then be used by criminals to target "high risk" employees or even be used as part of a larger social engineering campaign.

Because all this information is now available to the public, you need to be even more diligent in detecting potentially malicious activity. From suspicious emails to phone calls, the fact that a person contacting you knows some personal information about you does not mean they can be trusted. Don't be tricked into giving out even more information or opening links and attachments contained in emails. Always do an independent verification before disclosing any personal or sensitive details about yourself or your organization.

Think about how you use social media and how much information you want to share with the world. Because even if you think it’s just your “village” seeing the information, the reality is that it isn’t. It’s everyone, everywhere.

Generally speaking, there are two ways in which hackers and cybercriminals use social engineering to exploit social networks.

1. Attempting to get someone to install software on a computer or phone that will give them access to that device.

2. Gaining someone’s trust in order to exploit personal connections and manipulate people through the social network.

People are the weakest link in cybersecurity and the savvy hacker will take advantage whenever possible. Following are a few tips to help you avoid becoming a victim of either of these:

Always use the strongest security settings possible on social media sites. For example, consider if you need to share your location. If it really isn’t necessary (and it usually isn’t), deactivate that option. Also be sure to limit who has access to your information. Don’t make it public to the world, but instead make it viewable only to those who are directly linked to you, keeping in mind that even that information is vulnerable once one of them sends it on. Some sites will allow you to customize lists based on what you are posting. This may be appropriate for some content.

Don’t post personally identifiable information (PII) on social networking sites. This includes your birthdate, phone number, and address. If you want to exchange that information, do it via private messaging or email. Never ever post your social security number or any banking or other financial details, not even through the site’s private messaging or email service.

If you use your smart phone to post photos to your social networking sites, turn off location services for your camera. Leaving this activated will give away your location. While you may think it isn’t a big deal to share your location, it can be. When you’re on vacation and sharing selfies with recognizable landmarks in the background, it would be a great time for someone to break into your house and steal all kinds of information.

Be aware of unsolicited contact from strangers. Often, scammers will try to get to know you and then scam you. This happens often with online dating sites. They may use social engineering, such as convincing you they need money to help them get out of a bind, but they also may use you to spread malware. It’s reasonably easy to spoof someone’s email address and often the criminals will do this to try to get your friends, colleagues, and other contacts to click malicious links. People are more likely to click a link if they trust the one posting it. Therefore, use caution even when clicking links on social media from those you do know.

With the increase in popularity of private messaging services that are attached to the social media sites, such as Facebook Messenger, watch for private messages that arrive that include only a link, or have a vague description of what the link may contain. One that was seen recently was sent with text that addressed the recipient by name, “Bob, is this you?” Contained in the link was malware.

If a deal sounds too good to be true, it is. Cybercriminals use popular events and news stories as bait to get people to open infected email, visit infected websites, donate to fake charities, or purchase items that either don’t exist or that are counterfeit. Recently, someone impersonated Iron Man star Robert Downey Jr. and scammed people out of their money by “personally” asking them to donate to his favorite charity. Other stars were used in such scams as well, such as Brad Paisley, Hugh Jackman, and Elton John. All had to send pleas out to fans not to fall for it.

Change your social networking passwords often. Studies have shown that even with all the password reuse issues and stolen credentials, 53% of social media users had not changed their passwords in over a year and 20% had never changed them. It’s recommended to do it quarterly and, when doing so, don’t reuse one that you use on another site, especially one that you use for your financial accounts.

The bottom line is just to use caution when participating in social networks. They can be fun and useful and are likely here to stay. However, use good judgment and common sense when partaking so that you do not become, or cause your company to become, the next victim of fraud or identity theft.

In the biggest breach since it began 14 years ago, hackers once again struck the beleaguered Facebook and its users in September. This breach compromised millions of accounts. In hit after hit, the company once again faces criticism about how this latest breach happened. The only bright side Facebook had to report is that the hackers were not nation-state actors, but merely a group trying to make a buck. That’s an important point for Facebook to make, considering previous breaches by Cambridge Analytica and Russian-state actors.

Although it may be good news, it’s cold comfort to the millions affected by this latest hack. The Wall Street Journal reported the hackers behind the massive breach were a group of Facebook and Instagram spammers. The group was previously known to Facebook’s security team, hiding their identity as a digital marketing company. The data stolen can easily be used in targeted spam email attacks.

According to Barkley, email spam is still the number one delivery vehicle for most malware. When any breach happens, especially one the size of the latest Facebook hack, users need to be aware of increased spam email attacks. The information stolen from users gives hackers the personal data they need for targeted emails. They exploit specific user interests, contacts, and other information unique to a user. Their messages easily masquerade as email that is safe to open, with links to follow or attached files to download. Once that happens, malware is on the loose, infecting devices and stealing even more sensitive data like passwords and financial information. After a data breach, users need to pay particular attention to emails catering to their personal lives, especially those with links or attachments. In these cases, curiosity is a dangerous thing. Spammers know the easiest way to spread malware is through a socially engineered email attack. The more they know about a user, the more likely spam email will be successful.

If you are not expecting to receive a link, even if the message preceding it seems to have a very good handle on who you are, don’t click on it. That’s what these scammers and those like them want you to do. It doesn’t even matter who the sender may be, because if they have Facebook information, they may just know the information of a family member or good friend and pretend to be that person. So, instead of just clicking away, ask the sender in a text, a completely new email message, or by phone call.

The extent of the hack, including just how many Facebook users were affected and how much personal information was compromised, is still unknown. Although the estimates may vary, the true number of users affected may never really be known. Once data is compromised, it’s impossible to know where it goes, how many hackers have the information, and how long it will live in cyberspace–most likely on the Dark Web. For now, the responsibility for safety falls on the user. Being hyper-aware of spam email attacks needs to be an everyday part of cyber life and security. Enormous data breaches like the recent Facebook attack should be yet another warning to users that personal cybersecurity is more important now than ever.

Poor, poor Facebook. It’s a fun social media tool, but lately it seems everyone is just out to get it. In the most recent story, hackers announced they had found a way through Facebook’s security defenses and pulled private messages from 120 million user accounts and are putting them up for sale at $.10 a pop. Separately, experts at the cybersecurity company Digital Shadows said that more than likely, the users of around 81,000 accounts had their privacy breached. Precise numbers and claims aside, the kicker isn’t the lack of Facebook security. Those hackers got the information from malicious browser extensions.

We’ve mentioned the risk of using browser extensions several times. They can be fun little tools and often very useful. However, they are also dangerous and this is another instance making that case. If you don’t need them, don’t use them…and most of the time, you really don’t need them.

It isn’t being disclosed which specific browser extensions are to blame here, if they are even known, but a spokesperson for Facebook said they contacted browser makers to ensure that known malicious extensions are removed from their stores. But that doesn’t mean these or others won’t show up again. If you are going to use extensions, whether for Chrome, Firefox, Edge, or any other browser, do the due diligence necessary to be as confident as you can that they are not going to collect information and send it away without your consent.

Extensions can do a lot of stuff. They can monitor user activity on any webpage and send it away for marketing purposes, act as personal shopping assistants, be games or puzzles, or allow you to change the layout of a website to whatever tickles your fancy. But these and others can open up holes and allow hackers to capture information as well and sell it to the highest bidder, which is the case with this Facebook incident.

Also use caution about what information you put into Facebook or any social media or networking website. That information can be used against you in targeted phishing scams. The more the public knows about you (and if it’s on the Internet, it should be deemed available to anyone), the more likely you will click a link in an email message. But if you’re not expecting one, don’t click on it, no matter who sends it.


Chances are pretty good that you have heard the term business email compromise or BEC by now. It is a type of wire transfer fraud that the FBI has deemed one of the most prevalent types of scam going around these days. In 2017, there were over 15,690 complaints that resulted in total adjusted losses of more than $675 million. That is an 87% increase over 2016 and it is expected to continue to rise. The Identity Theft Resource Center (ITRC) reported that of the fraud related complaints reported in 2017, the most common type was wire transfer fraud.
